
Account takeovers via financial institution impersonation prompts FBI warning

Persona, Shufti Pro, Biometrics Institute and Saviynt offer advice on ATOs

The Internet Crime Complaint Center (IC3), run by the U.S. FBI, has issued a public service announcement warning Americans about a wave of account takeover (ATO) attacks in which financial institution support staff are impersonated.

So far in calendar 2025, IC3 has received more than 5,100 ATO fraud complaints, totalling more than $262 million in stolen money.

The alert describes how ATO attacks are carried out. Some take the form of social engineering that manipulates victims into sharing their login credentials, multi-factor authentication (MFA) codes or one-time passcodes (OTPs). Others use phishing domains or websites that look like a familiar financial institution or organization. These may be surfaced as advertisements that mimic the legitimate business, as part of a technique known as SEO (search engine optimization) poisoning.
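As an added example (not from the IC3 bulletin or this article), the Python below shows one way a security team, or a browser-side allow-list, could triage a hostname pulled from an ad or a text-message link against the domains a customer actually banks with. It folds punycode, accented characters, Cyrillic homoglyphs and digit look-alikes before comparing, then separates typosquats from brand names buried in a subdomain. The allow-list, the candidate hostnames and the homoglyph tables are constructed for illustration, and the registrable-domain extraction is a deliberate simplification (a real deployment would consult the Public Suffix List).

```python
"""Triage a hostname against a bank's real domain for lookalike tricks.

Added example, not the article's or IC3's code. LEGITIMATE_DOMAINS and the
sample candidates are constructed; the homoglyph tables are a small subset.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list: the registrable domains the user really banks with.
LEGITIMATE_DOMAINS = {"examplebank.com"}

# Cyrillic letters that render identically to Latin ones (NFKD does not fold
# these); written as escapes so the substitution is visible in source.
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")
# Digits and letter pairs commonly swapped in for letters in typosquats.
DIGIT_TO_LETTER = str.maketrans("01357", "olest")
PAIR_LOOKALIKES = [("rn", "m"), ("vv", "w")]


def normalize_label(label: str) -> str:
    """Fold one DNS label to the ASCII string a human would read it as."""
    if label.startswith("xn--"):            # punycode: recover the Unicode form
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass                            # malformed IDN: fold what we have
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))  # drop accents
    label = label.lower().translate(CYRILLIC_TO_LATIN).translate(DIGIT_TO_LETTER)
    for pair, letter in PAIR_LOOKALIKES:
        label = label.replace(pair, letter)
    return label


def registrable(domain: str) -> str:
    """Last two labels as the registrable domain. Simplification (assumption):
    real code must consult the Public Suffix List for suffixes like co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(candidate: str) -> str:
    """Return one of: legitimate, homoglyph, typosquat, brand-in-hostname, unrelated."""
    labels = candidate.lower().rstrip(".").split(".")
    cand_reg = registrable(candidate)
    cand_reg_norm = ".".join(normalize_label(l) for l in cand_reg.split("."))
    cand_full_norm = ".".join(normalize_label(l) for l in labels)
    for legit in LEGITIMATE_DOMAINS:
        legit_reg = registrable(legit)
        brand = legit_reg.split(".")[0]
        if cand_reg == legit_reg:
            return "legitimate"             # the real domain or a subdomain of it
        if cand_reg_norm == legit_reg:
            return "homoglyph"              # identical once look-alikes are folded
        if SequenceMatcher(None, cand_reg_norm.split(".")[0], brand).ratio() >= 0.8:
            return "typosquat"              # a character or two off the brand
        if brand in cand_full_norm:
            return "brand-in-hostname"      # brand buried in a subdomain or padded
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates of the kind seen in search ads and SMS lures.
    for host in ["login.examplebank.com", "ex\u0430mplebank.com", "examp1ebank.com",
                 "exampelbank.com", "examplebank.com.secure-verify.net", "otherbank.com"]:
        print(f"{host:40} {classify(host)}")
```

The bookmark advice in the bulletin sidesteps all of this, because a bookmark never goes through the search-ad or text-message path where these hostnames turn up; the classifier is for the cases where a link has already been clicked or is being screened in a proxy or mail gateway.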

The good news

The announcement recommends taking care when sharing information online not to make public details that could be used by hackers to guess your password. People should regularly monitor their financial accounts and “always use unique, complex passwords.” IC3 also advises avoiding fraudulent login pages that spoof the real website by using bookmarks or favorites to navigate to the sites where they have accounts, and being suspicious of calls from people claiming to be employees of their bank or any other company, even if caller ID supports their claim.

For organizations, technologies and resources to help defend against ATOs and sophisticated attacks against financial accounts are available, and the industry is aligned on what businesses should do.

A new ebook from Persona looks at the 17 top signals to use as input for decisions about defending against ATOs, synthetic IDs and deepfakes. Persona recommends combining identity verification with device intelligence, behavioral analytics and other signals, and the report details how to layer those sources and interpret the information they provide.

Shufti Pro identifies deepfakes, synthetic identities and phishing kits as key enablers for ATOs in a new whitepaper. “Preventing Account Takeover Fraud with Multilayered Defense” brings together data from FBI IC3 reports, European law enforcement and banking sources, and case studies. The company explains how attackers are bypassing weak authentication systems and how to move beyond traditional MFA with technologies such as behavioral biometrics and analytics, device fingerprinting and unified defenses.

The Biometrics Institute has released a good practice guide on “Biometrics and Account Recovery” to help organizations strengthen defenses around one of the main targets for ATO attacks.

Account recovery processes that rely on passwords or easily exploited two-factor authentication are vulnerable, the Institute says. The guide, the twentieth good practice tool launched by the Biometrics Institute, offers 10 recommendations for hardening account recovery against attack.
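As an added illustration of the signal layering these reports describe (not code from Persona, Shufti Pro, the Biometrics Institute or the IC3), the Python below scores a login attempt by combining device-fingerprint novelty, geo-velocity since the previous login, a password reset immediately followed by a login from an unseen device, and recent OTP failures, then maps the score to allow, step-up or block. The event log, coordinates, weights and thresholds are all constructed; the point is that each signal alone is weak while the combination, and in particular the recovery-then-new-device sequence the Institute's guide targets, is decisive.

```python
"""Layered ATO risk scoring over a constructed authentication event log.

Added example; not code from Persona, Shufti Pro or the Biometrics Institute.
Signal weights, thresholds, coordinates and the events are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str      # login | otp_fail | password_reset | device_enroll
    device: str    # device-fingerprint hash (constructed)
    lat: float     # IP geolocation of the request (constructed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(history, login):
    """Combine independent signals for one login attempt into (score, reasons)."""
    prior = [e for e in history if e.account == login.account and e.ts < login.ts]
    known = {e.device for e in prior if e.kind in ("login", "device_enroll")}
    score, reasons = 0, []

    # Device intelligence: fingerprint never seen on this account.
    new_device = login.device not in known
    if new_device:
        score += 30
        reasons.append("new device fingerprint")

    # Geo-velocity: faster than any flight could move since the last login.
    last = max((e for e in prior if e.kind == "login"), key=lambda e: e.ts, default=None)
    if last is not None:
        hours = (login.ts - last.ts).total_seconds() / 3600
        km = haversine_km(last.lat, last.lon, login.lat, login.lon)
        if hours > 0 and km / hours > 900:
            score += 40
            reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")

    # Account-recovery abuse: reset followed quickly by a login from a new device.
    recent = login.ts - timedelta(minutes=15)
    if new_device and any(e.kind == "password_reset" and e.ts >= recent for e in prior):
        score += 30
        reasons.append("password reset then new-device login")

    # OTP guessing or repeated social-engineered code entry.
    fails = sum(1 for e in prior
                if e.kind == "otp_fail" and e.ts >= login.ts - timedelta(minutes=10))
    if fails >= 3:
        score += 20
        reasons.append(f"{fails} OTP failures in 10 min")
    return score, reasons


def decide(score):
    return "block" if score >= 70 else "step_up" if score >= 30 else "allow"


def assess_latest_login(history, account):
    """Score the most recent login for an account: (score, decision, reasons)."""
    login = max((e for e in history if e.account == account and e.kind == "login"),
                key=lambda e: e.ts)
    score, reasons = score_login(history, login)
    return score, decide(score), reasons


NYC, LAGOS = (40.71, -74.01), (6.52, 3.38)
T = datetime(2025, 6, 1, 9, 0)
# Constructed log: alice's routine login, bob's takeover via recovery abuse.
EVENTS = [
    Event(T, "alice", "login", "dev-a1", *NYC),
    Event(T + timedelta(days=1, minutes=5), "alice", "login", "dev-a1", *NYC),
    Event(T, "bob", "login", "dev-b1", *NYC),
    Event(T + timedelta(minutes=40), "bob", "otp_fail", "dev-x9", *LAGOS),
    Event(T + timedelta(minutes=42), "bob", "otp_fail", "dev-x9", *LAGOS),
    Event(T + timedelta(minutes=44), "bob", "otp_fail", "dev-x9", *LAGOS),
    Event(T + timedelta(minutes=45), "bob", "password_reset", "dev-x9", *LAGOS),
    Event(T + timedelta(minutes=50), "bob", "login", "dev-x9", *LAGOS),
]

if __name__ == "__main__":
    for account in ("alice", "bob"):
        print(account, assess_latest_login(EVENTS, account))
```

In production the same shape holds with real inputs: the fingerprint comes from a device-intelligence SDK, the coordinates from IP geolocation, and a step-up decision routes to a stronger factor than the SMS or email OTP the attacker has already been phishing for.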

In a comment emailed to Biometric Update, Saviynt Chief Trust Officer Jim Routh suggests manual identity verification through a phone call or an SMS message is the most effective way to prevent these attacks from succeeding.

Most of the incidents referenced in the IC3 report involve compromised credentials and attackers highly familiar with the processes and workflows used by financial institutions.

“The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available,” Routh says.

The bad news

For those who have fallen victim to a successful ATO attack, the bulletin recommends contacting your financial institution, which can issue a “Hold Harmless Letter” or “Letter of Indemnity” that “may reduce or eliminate your financial losses.” Reset or revoke the compromised credentials, and file a complaint with the IC3.

The IC3 also recommends contacting the impersonated company so it can take action. Consumers can keep up to date with current threats on IC3’s website.

In other words: make some time. You have homework.
